Threat Research

Researchers have analyzed the infrastructure tactics of two state-sponsored groups: Gamaredon (linked to Russia) and RedFoxtrot/ShadowPad (linked to China). Gamaredon targets Ukrainian, Western, African, and NATO entities, using low-frequency DNS techniques, rapidly changing IPs, and a reusable TLS certificate for its .ru domains, making takedown difficult....

Since our previous update in early February on the advanced persistent threat (APT) group Trident Ursa (also known as Gamaredon, UAC-0010, Primitive Bear, Shuckworm), Ukraine has continued to face escalating cyber threats from Russia. The Security Service of Ukraine attributes Trident Ursa to Russia’s Federal Security Service (FSB)....

BlueAlpha is a state-sponsored cyber threat group linked to the Russian Federal Security Service (FSB), with ties to known groups such as Gamaredon, Shuckworm, Hive0051, and UNC530. Active since at least 2014, BlueAlpha persistently targets Ukrainian organizations through aggressive spearphishing campaigns....

Gamaredon—also known as Primitive Bear, Actinium, or Shuckworm—is a Russian Advanced Persistent Threat (APT) group active since at least 2013. While historically targeting the US and Indian Subcontinent, their recent focus has shifted toward Ukraine, including attacks on Western government entities....

A campaign targeting users in Ukraine is using malicious LNK files, which run a PowerShell downloader. These files are named with Russian words related to troop movements in Ukraine to lure victims. The downloader connects to geo-fenced servers in Russia and Germany to retrieve a second-stage Zip file containing the Remcos backdoor....